A class action has been filed in the Federal Court in respect of the Medibank data breach, funded by large domestic litigation funder Omni Bridgeway. The claim reportedly includes causes of action based on breaches of contract, Australian Consumer Law and equitable obligations of confidence. The claim has been filed in the context of a separate class action style claim being commenced via the Office of the Australian Information Commissioner (which is being pursued collectively by three other law firms).

The Federal Court Claim is a significant development as it sees the first major class action for privacy breach related loss commenced directly in the Federal Court. To date, collective actions for data breaches have been commenced via the Office of the Australian Information Commissioner, and this has meant they have needed to wait out the Privacy Commissioner’s investigation (which can be very lengthy process, and potentially lead to a Federal Court claim in any event) and has meant the claims are in the relatively untested world of compensation for breaches of the Privacy Act. The Federal Court action sees a direct Federal Court claim avoiding this process. It also frames the claim for compensation around accepted causes of action and compensatory provisions (such as obligations under the Australian Consumer Law), rather than relying upon the development of jurisprudence specifically on the right to privacy (something not yet developed in Australia) or the level of monetary compensation under the Privacy Act. It has the potential to break new ground in respect of how these conventional causes of action interplay with the context of a data breach, how loss emerging from such breaches can be valued (including non-economic losses, and non-immediate losses) and what duties are imposed on the holders of data.

Key points for health care clients:

  • The Medibank Federal Court claim is significant because it sets an example for how a direct class action claim can be made in the Federal Court in respect of a data breach.
  • If successful (either on a settlement basis or on judgment) it has the potential to be a roadmap for litigation funders and plaintiff lawyers as to how class action style claims can be made following data breaches. This is likely to lead to an increased appetite for funding and running class actions in respect of data breaches.
  • The Medibank claim may be an archetypal vehicle to test these points because of the uniquely sensitive nature of the health data in the relevant set (including data related to medical procedures and mental health treatment). It is possible that the precedent which emerges from the case is focused specifically on health data, and is relevant to duties under consumer contracts and the ACL and assessment of loss that accrues in respect of those breaches.
  • The Federal Court Claim is backed by a litigation funder, and so it can be assumed that an assessment of significant claim value has been made.